=====================================
[ BUG: bad unlock balance detected! ]
4.9.80-g550c01d #29 Not tainted
-------------------------------------
syz-executor3/30045 is trying to release lock (mrt_lock) at:
[<ffffffff834e8ee4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor3/30045:
 #0:  (&f->f_pos_lock){+.+.+.}, at: [<ffffffff815d3a5f>] __fdget_pos+0x9f/0xc0 fs/file.c:781
 #1:  (&p->lock){+.+.+.}, at: [<ffffffff815e8e5d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 30045 Comm: syz-executor3 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d3ac78e8 ffffffff81d94b69 ffffffff849b6cf8 ffff8801d5656000
 ffffffff834e8ee4 ffffffff849b6cf8 ffff8801d5656888 ffff8801d3ac7918
 ffffffff81237e04 dffffc0000000000 ffffffff849b6cf8 00000000ffffffff
Call Trace:
 [<ffffffff81d94b69>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81237e04>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff812408d8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff812408d8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838b2fda>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838b2fda>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834e8ee4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e9803>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816c24ff>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff8156cc21>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff81570a90>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff81570a90>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff81570d44>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff81570e66>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81574357>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81574357>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
netlink: 17 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
device lo left promiscuous mode
binder: 30473:30478 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
device lo entered promiscuous mode
device lo left promiscuous mode
audit_printk_skb: 1855 callbacks suppressed
audit: type=1400 audit(1517959031.734:23268): avc:  denied  { net_admin } for  pid=3902 comm="syz-executor3" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959031.764:23269): avc:  denied  { net_admin } for  pid=3902 comm="syz-executor3" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.014:23270): avc:  denied  { net_admin } for  pid=3900 comm="syz-executor4" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.014:23271): avc:  denied  { dac_override } for  pid=30616 comm="syz-executor6" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.014:23272): avc:  denied  { dac_override } for  pid=30616 comm="syz-executor6" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.024:23273): avc:  denied  { net_admin } for  pid=27586 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.034:23274): avc:  denied  { sys_admin } for  pid=30628 comm="syz-executor1" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.044:23275): avc:  denied  { net_admin } for  pid=3903 comm="syz-executor6" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.044:23276): avc:  denied  { net_admin } for  pid=30617 comm="syz-executor2" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959032.044:23277): avc:  denied  { dac_override } for  pid=30618 comm="syz-executor0" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 30651:30652 ioctl 40046207 0 returned -16
device eql entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
IPVS: length: 24 != 3145848
audit_printk_skb: 2577 callbacks suppressed
audit: type=1400 audit(1517959036.744:24132): avc:  denied  { net_admin } for  pid=3893 comm="syz-executor7" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.774:24133): avc:  denied  { net_admin } for  pid=3901 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.774:24134): avc:  denied  { net_admin } for  pid=3901 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.784:24135): avc:  denied  { net_admin } for  pid=31659 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.794:24136): avc:  denied  { dac_override } for  pid=31636 comm="syz-executor3" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.794:24137): avc:  denied  { dac_override } for  pid=31636 comm="syz-executor3" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.804:24138): avc:  denied  { dac_override } for  pid=31636 comm="syz-executor3" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.804:24139): avc:  denied  { net_admin } for  pid=27586 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.814:24140): avc:  denied  { net_admin } for  pid=3898 comm="syz-executor2" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517959036.814:24141): avc:  denied  { net_admin } for  pid=3898 comm="syz-executor2" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: release 31768:31773 transaction 605 in, still active
binder: send failed reply for transaction 605 to 31768:31791
binder: BINDER_SET_CONTEXT_MGR already set
binder: 31768:31773 ioctl 40046207 0 returned -16
binder_alloc: 31768: binder_alloc_buf, no vma
binder: 31768:31791 transaction failed 29189/-3, size 0-0 line 3127
binder: release 31768:31791 transaction 606 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 606, target dead
binder: undelivered TRANSACTION_ERROR: 29189